| Field | Value |
|---|---|
| name | dependency-update |
| description | Safe dependency update workflow. Use when upgrading packages, resolving vulnerability alerts, updating major versions, or auditing dependency health across project ecosystems. |
| license | MIT |
| metadata | {"author":"samuel","version":"1.0","category":"workflow"} |
Dependency Update Skill
Safe and systematic dependency updates with vulnerability management, license checking, and rollback planning.
When to Use
| Trigger | Priority | Description |
|---|---|---|
| Security Vulnerability | Critical | Known CVE in dependency |
| Monthly Maintenance | High | Regular update cycle |
| Major Version | Medium | New major version available |
| Pre-Release | High | Before production deployments |
| Breaking Bug | Critical | Bug in current dependency |
Update Strategy
Update Types
| Type | Risk | Frequency | Testing |
|---|---|---|---|
| Patch (x.x.1) | Low | Weekly/Auto | Basic |
| Minor (x.1.0) | Low-Medium | Monthly | Standard |
| Major (1.0.0) | High | Quarterly | Comprehensive |
Semantic Versioning
```text
MAJOR.MINOR.PATCH
  │     │     │
  │     │     └── Bug fixes (backward compatible)
  │     └──────── New features (backward compatible)
  └────────────── Breaking changes
```
Prerequisites
Before starting:
Update Process
```text
Phase 1: Audit Dependencies
    ↓
Phase 2: Check Vulnerabilities
    ↓
Phase 3: Check License Compatibility
    ↓
Phase 4: Plan Updates
    ↓
Phase 5: Execute Updates
    ↓
Phase 6: Test & Validate
    ↓
Phase 7: Document & Deploy
```
Phase 1: Audit Dependencies
List outdated dependencies using ecosystem-specific tools:
```shell
npm outdated          # Node.js
pip list --outdated   # Python
go list -u -m all     # Go (modules with newer versions are marked [vX.Y.Z])
cargo outdated        # Rust (requires the cargo-outdated plugin)
bundle outdated       # Ruby
```
Create update inventory prioritizing direct dependencies over transitive ones.
Phase 2: Check Vulnerabilities
Run security audits:
Prioritize by severity: Critical (hours) → High (days) → Moderate (weeks) → Low (monthly).
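As an added example (not part of this skill or of npm itself), the script below triages an `npm audit --json` report into the severity order given above and attaches a remediation window to each finding. The sample report is constructed by hand with placeholder package names and no real advisories; it assumes the npm 7+ report layout (an `auditReportVersion: 2` document whose `vulnerabilities` map carries `severity`, `isDirect`, `range` and `fixAvailable`). The concrete windows in `SLA` are illustrative values chosen to match the hours/days/weeks/monthly ordering, not values the page prescribes.

```python
"""Triage an `npm audit --json` report by severity and attach a remediation window.

Added example, not the skill's own tooling. The report shape follows npm 7+;
the SLA windows are illustrative values for the page's ordering.
"""
import json
from datetime import timedelta

# Remediation windows following the page's ordering:
# Critical (hours) -> High (days) -> Moderate (weeks) -> Low (monthly).
SLA = {
    "critical": timedelta(hours=24),
    "high": timedelta(days=7),
    "moderate": timedelta(weeks=4),
    "low": timedelta(days=90),
}
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3}

# Constructed sample report (placeholder package names, no real advisories),
# shaped like an npm 7+ `npm audit --json` document.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {
            "name": "example-parser", "severity": "high", "isDirect": True,
            "range": "<2.0.0",
            "fixAvailable": {"name": "example-parser", "version": "2.0.1", "isSemVerMajor": True},
        },
        "example-leftpad": {
            "name": "example-leftpad", "severity": "low", "isDirect": False,
            "range": "<1.3.0", "fixAvailable": True,
        },
        "example-crypto-shim": {
            "name": "example-crypto-shim", "severity": "critical", "isDirect": False,
            "range": "<=0.9.9", "fixAvailable": False,
        },
        "example-logger": {
            "name": "example-logger", "severity": "moderate", "isDirect": True,
            "range": "<4.1.0", "fixAvailable": True,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 1, "high": 1, "critical": 1, "total": 4}},
})


def triage(report_json: str) -> list:
    """Return findings ordered critical -> low, direct before transitive, with SLA and action."""
    report = json.loads(report_json)
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        severity = str(vuln.get("severity", "info")).lower()
        if severity not in SLA:
            continue  # "info" entries carry no remediation deadline
        fix = vuln.get("fixAvailable")
        if fix is False:
            action = "no upstream fix: pin, mitigate or replace"
        elif isinstance(fix, dict):
            # npm reports a dict when the fix needs an explicit (possibly major) bump
            action = f"upgrade to {fix['name']}@{fix['version']}"
        else:
            action = "bump within the current semver range (npm audit fix)"
        findings.append({
            "package": name,
            "severity": severity,
            "direct": bool(vuln.get("isDirect")),
            "vulnerable_range": vuln.get("range", ""),
            "sla": SLA[severity],
            "action": action,
        })
    # Severity first, then direct dependencies before transitive ones (Phase 1 rule).
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], not f["direct"], f["package"]))
    return findings


def due_within(findings: list, window: timedelta) -> list:
    """Package names whose remediation window is no longer than `window`."""
    return [f["package"] for f in findings if f["sla"] <= window]


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_JSON):
        kind = "direct" if f["direct"] else "transitive"
        print(f"{f['severity']:<9} {f['package']:<22} {kind:<10} fix within {f['sla']}  -> {f['action']}")
```

`due_within(findings, SLA["high"])` gives the set that must be closed before the next routine cycle; a transitive critical still sorts above a direct high, because the severity, not the dependency depth, sets the deadline.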
Phase 3: Check License Compatibility
Check licenses before adding dependencies:
Avoid: GPL-3.0, AGPL-3.0, SSPL, Unlicensed (require legal review).
Safe: MIT, Apache-2.0, BSD, ISC.
Phase 4: Plan Updates
Priority: Security → Patches → Minor → Major
Update strategies:
- Individual: Major updates, risky dependencies
- Batched: Patches and minor updates together
- All at once: Only for fresh projects with comprehensive tests
Create update plan grouping by priority and risk level.
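The semver diagram, the Phase 3 license gate and the Phase 4 grouping rules above, carried through in one planner as an added example (not the skill's own tooling). The inventory is constructed with placeholder names and versions, and it assumes each entry has already been enriched with the Phase 2 audit result (`vuln_severity`) and the Phase 3 license name. Two choices are this example's own, not the page's: any `0.x` version change is treated as a major (semver makes no compatibility promise below 1.0), and security fixes get their own individual update so the CVE stays traceable in one commit.

```python
"""Classify outdated dependencies by semver bump and build the Phase 4 update plan.

Added example, not the skill's own code. Inventory entries are constructed.
"""
import re
from typing import Optional, Tuple

SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")

# Page's order: Security -> Patches -> Minor -> Major (lower number is handled first).
PRIORITY = {"security": 0, "patch": 1, "minor": 2, "major": 3}
# Risk and testing tiers from the Update Types table.
TIER = {
    "patch": ("Low", "Basic"),
    "minor": ("Low-Medium", "Standard"),
    "major": ("High", "Comprehensive"),
}
# Licenses the page lists as requiring legal review before use.
DENY_LICENSES = {"GPL-3.0", "AGPL-3.0", "SSPL", "UNLICENSED"}

# Constructed inventory: placeholder package names, versions and licenses.
INVENTORY = [
    {"name": "example-web", "current": "4.17.1", "latest": "4.18.2", "direct": True, "license": "MIT"},
    {"name": "example-parser", "current": "1.9.0", "latest": "2.0.1", "direct": True,
     "license": "MIT", "vuln_severity": "high"},
    {"name": "example-colors", "current": "1.4.0", "latest": "1.4.2", "direct": False, "license": "MIT"},
    {"name": "example-orm", "current": "5.2.0", "latest": "6.0.0", "direct": True, "license": "Apache-2.0"},
    {"name": "example-pdf", "current": "0.3.1", "latest": "0.4.0", "direct": True, "license": "AGPL-3.0"},
    {"name": "example-util", "current": "2.1.0", "latest": "2.1.0", "direct": True, "license": "ISC"},
]


def parse(version: str) -> Tuple[int, int, int, Optional[str]]:
    """Split MAJOR.MINOR.PATCH[-prerelease][+build] into its parts."""
    m = SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def bump_type(current: str, latest: str) -> str:
    """'major' | 'minor' | 'patch' | 'none', following the MAJOR.MINOR.PATCH diagram."""
    c, l = parse(current), parse(latest)
    if l[:3] <= c[:3]:
        return "none"
    if l[0] != c[0]:
        return "major"
    # Example's own rule: below 1.0 a MINOR change may break, so treat it as major.
    if c[0] == 0 and l[1] != c[1]:
        return "major"
    if l[1] != c[1]:
        return "minor"
    return "patch"


def plan(inventory: list) -> dict:
    """Group updates: security and major -> individual; patch/minor -> one batch; denied licenses -> blocked."""
    individual, batch, blocked = [], [], []
    for dep in inventory:
        kind = bump_type(dep["current"], dep["latest"])
        if kind == "none":
            continue
        if dep.get("license", "").upper() in DENY_LICENSES:
            blocked.append({**dep, "reason": f"license {dep['license']} needs legal review"})
            continue
        entry = {
            "name": dep["name"], "from": dep["current"], "to": dep["latest"],
            "bump": kind,
            "priority": "security" if dep.get("vuln_severity") else kind,
            "risk": TIER[kind][0], "testing": TIER[kind][1],
            "direct": dep.get("direct", True),
        }
        if entry["priority"] == "security" or kind == "major":
            individual.append(entry)
        else:
            batch.append(entry)
    # Priority order, then direct dependencies before transitive ones (Phase 1 rule).
    order = lambda e: (PRIORITY[e["priority"]], not e["direct"], e["name"])
    individual.sort(key=order)
    batch.sort(key=order)
    return {"individual": individual, "batch": batch, "blocked": blocked}


if __name__ == "__main__":
    for group, entries in plan(INVENTORY).items():
        print(f"== {group} ==")
        for e in entries:
            print(f"  {e['name']}: {e.get('from', e.get('current'))} -> {e.get('to', e.get('latest'))}"
                  f" ({e.get('priority', e.get('reason'))})")
```

Each `individual` entry maps to one branch and one commit; the `batch` list becomes a single patch-and-minor commit whose testing tier is the highest tier among its members (here Standard).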
Phase 5: Execute Updates
Create branch: `git checkout -b chore/dependency-updates-YYYY-MM`
Update commands by ecosystem:
Verify that the lock files were updated and committed. Commit with descriptive messages following conventional commits.
Phase 6: Test & Validate
Run comprehensive validation:
For major updates, verify critical paths manually.
Phase 7: Document & Deploy
Create PR documenting:
- Security fixes with CVE numbers
- Package updates table
- Breaking changes addressed
- Testing checklist completed
- Rollback plan
Deploy: Dev → Staging → Production (with validation at each stage).
Rollback Procedures
If Tests Fail
```shell
git checkout package.json package-lock.json
npm install
```
If Production Issues
```shell
git revert <update-commit-hash>
npm install
```
Pin Problematic Dependency
```json
{
  "dependencies": {
    "problematic-package": "1.2.3"
  },
  "resolutions": {
    "problematic-package": "1.2.3"
  }
}
```
The `resolutions` field is honoured by Yarn; npm (8.3 and later) uses an `overrides` field with the same shape. Pinning also forces transitive occurrences of the package to the chosen version, so rerun the security audit afterwards to confirm the pinned version is not itself affected.
Quick Reference
Commands by Language
| Task | Node.js | Python | Go | Rust |
|---|---|---|---|---|
| List outdated | `npm outdated` | `pip list --outdated` | `go list -u -m all` | `cargo outdated` |
| Security audit | `npm audit` | `pip-audit` | `govulncheck ./...` | `cargo audit` |
| Update all | `npm update` | `pip install -U -r requirements.txt` | `go get -u ./...` | `cargo update` |
| Update one | `npm install pkg@ver` | `pip install pkg==ver` | `go get pkg@ver` | `cargo update -p pkg` |
Checklist
Pre-Update
During Update
Post-Update
Related Workflows
Extended Resources
For detailed per-ecosystem commands, verbose examples, and automation configuration, see: